Re: [syzbot] kernel stack overflow in sock_close

From: syzbot
Date: Sun Dec 11 2022 - 09:57:24 EST

Next message: Google: "Re: [PATCH v2] panic: Taint kernel if fault injection has been used"
Previous message: Max Gurtovoy: "Re: [RFC PATCH 5/5] nvme-vfio: Add a document for the NVMe device"
In reply to: syzbot: "Re: [syzbot] kernel stack overflow in sock_close"
Next in thread: syzbot: "Re: [syzbot] kernel stack overflow in sock_close"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel stack overflow in sock_close

x8 : 000000000004057a x7 : ffff80000b229b58 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000002 x1 : ffff0000d0b42478 x0 : ffff0000d0b41a40
Kernel panic - not syncing: kernel stack overflow
CPU: 0 PID: 3653 Comm: syz-executor.0 Not tainted 6.1.0-rc8-syzkaller-00164-g4cee37b3a4e6-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Call trace:
dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
show_stack+0x2c/0x54 arch/arm64/kernel/stacktrace.c:163
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
dump_stack+0x1c/0x5c lib/dump_stack.c:113
panic+0x218/0x508 kernel/panic.c:274
nmi_panic+0xbc/0xf0 kernel/panic.c:169
panic_bad_stack+0x134/0x154 arch/arm64/kernel/traps.c:907
handle_bad_stack+0x34/0x48 arch/arm64/kernel/entry-common.c:849
__bad_stack+0x78/0x7c arch/arm64/kernel/entry.S:549
mark_lock+0x4/0x1b4 kernel/locking/lockdep.c:4595
lock_acquire+0x100/0x1f8 kernel/locking/lockdep.c:5668
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x54/0x6c kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:355 [inline]
lock_sock_nested+0x88/0xd8 net/core/sock.c:3450
lock_sock include/net/sock.h:1721 [inline]
sock_map_close+0x30/0x4bc net/core/sock_map.c:1610
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
sock_map_close+0x400/0x4bc
inet_release+0xc8/0xe4 net/ipv4/af_inet.c:428
inet6_release+0x3c/0x58 net/ipv6/af_inet6.c:488
__sock_release net/socket.c:650 [inline]
sock_close+0x50/0xf0 net/socket.c:1365
__fput+0x198/0x3e4 fs/file_table.c:320
____fput+0x20/0x30 fs/file_table.c:348
task_work_run+0x100/0x148 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x2dc/0xcac kernel/exit.c:820
do_group_exit+0x98/0xcc kernel/exit.c:950
get_signal+0xabc/0xb2c kernel/signal.c:2858
do_signal+0x128/0x438 arch/arm64/kernel/signal.c:1071
do_notify_resume+0xc0/0x1f0 arch/arm64/kernel/signal.c:1124
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x150 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
SMP: stopping secondary CPUs
Kernel Offset: disabled
CPU features: 0x00000,02070084,26017203
Memory Limit: none

Tested on:

commit: 4cee37b3 Merge tag 'mm-hotfixes-stable-2022-12-10-1' o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=10391967880000
kernel config: https://syzkaller.appspot.com/x/.config?x=f24df90d6ec552dc
dashboard link: https://syzkaller.appspot.com/bug?extid=09329bd987ebca21bced
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=12366eb7880000

Next message: Google: "Re: [PATCH v2] panic: Taint kernel if fault injection has been used"
Previous message: Max Gurtovoy: "Re: [RFC PATCH 5/5] nvme-vfio: Add a document for the NVMe device"
In reply to: syzbot: "Re: [syzbot] kernel stack overflow in sock_close"
Next in thread: syzbot: "Re: [syzbot] kernel stack overflow in sock_close"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]